home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
TPUG - Toronto PET Users Group
/
TPUG Users Group CD
/
TPUG Users Group CD.iso
/
AMIGA
/
(A)TB
/
(A)TBP.ADF
/
Virus_Check
/
Virus_Checker.doc
< prev
next >
Wrap
Text File
|
1991-06-20
|
29KB
|
593 lines
Virus Checker
This Program
Virus_Checker is a freely distributable, copyrighted piece of
software. You do not have to pay money to use it, and may upload it
wherever you choose, but you are not allowed to sell Virus_Checker
for profit, or include Virus_Checker on a disk which is sold for
profit, without the author's (John Veldthuis) permission. Commodore
New Zealand Have this permission already I can be contacted at the
address below.
Please send me any more viruses so I can update Virus_Checker
John Veldthuis
21 Ngatai Street
Manaia, Taranaki
New Zealand
Phone (0624) 8409
To use, place in your startup-sequence the following line
Virus_Checker
this will run virus_checker
**New features**
New Features added to Virus_Checker are added to the command line
the syntax is Virus_Checker -l### -t### -w### -b -q dirname
where ### is any decimal number
-l### tells Virus_Checker how far from the left edge of the screen to
open the Virus_Checker window
-t### tells Virus_Checker how far down from the top edge of the
screen to open the Virus_Checker window
-w### tells Virus_Checker how wide you want the window. It has a
maximum size of 386 pixels and a minimum of 200. Any numbers out of
this range are ignored
-b tells Virus_CHecker to send it's window to the back of all the
other open windows
-q Virus_Checker will check all memory, files, and disks for
viruses then exit. To check a HD and exit do the following
Virus_Checker -q dh0:
This will check memory, disks, files, and dh0:, then exit
dirname is the directory you want checked for File Viruses on startup
An example to open the window at x/y postion of 200/100 and
check DH0: is Virus_Checker -l200 -t100 dh0:
Any values outside the size of the WB screen are ignored and any non
numerical values are ignored. There must be no spaces between the
options and the numbers. Options may be given in any order.
Upon running Virus_Checker will first check your memory for viruses
and tell you if any where detected. They will either be removed or
disabled. Next all disks in the drives will be checked. Any disk put
into any drive (df0: to df3:) will be checked. The rest is easy
Sometimes the machine may GURU when it disables the LAMER
Exterminator virus in memory but if you reboot it should be gone.
Virus Checker will check the startup-sequence file for the Xeno
virus. If it finds this virus it will let you check all the files on
any drive for the virus. If you want to check a disk for this virus
then put the disk in any drive. Make sure the Virus_Checker window is
active the press and release the right mouse button. This will bring
up a requester asking you which drive to check. Enter the drive name
in the box, eg. DF0:, DH1:,RAD: etc. It will then check all the files
on that drive. You can also enter directories if you want to eg, c:
df0:c, df0:libs etc. When Virus_Checker is scanning the disk and you
know that a directory is clear and don't want to check it press
control-d in the window with the filenames and Virus_Checker will
ignore that directory and go back up one level. If you want to stop
the check completely press control-c in the window with the filenames
and Virus_Checker will print a break message then stop scanning the
disk and go back to normal scanning.
If Virus_Checker brings a requester up that says a program just run
has infected your memory with the Xeno Virus, it has already disabled
it. You should immediatly check all files on the disks that are in
the drives at that time. This means that a program that you just ran
or a program some other program just ran is infected with the virus
and all files should be checked to find out which one it was.
With viruses which use a RomTag I have decided to clear out all
RomTags to make sure I remove the Viruses from the list. In doing
this you will lose things like Recoverable ram disks such as RAD:,
VD0: etc. If You have a virus make sure that you save anything in the
ram disks that you want before rebooting. The ramdisks and others
will disappear on a reboot. My policy is better safe than sorry.
If VC finds a disk infected with the Saddam virus, then it is best to
run the FixSaddam program over the infected disk to recover any stuff
the virus may have altered. This will be in the form Volume XXX has a
Read/Write error. FixSaddam will fix most of the damage done by the
virus but cannot recover anything if the virus ha been triggered.
BRAINFILE ADDITION
I have added a BrainFile to Virus_Checker as of Version 5.13. When VC
finds a Non-Standard bootblock It will bring up 4 gadgets. The new
Gadget id Learn. Pressing this will allow VC to remember this
BootBlock and not bother you aging with it. To do this VC writes a
file called VCBrainFile to the S: directory. If you have a single
drive this will invoke a requester asking that Volume something be
put in the drive. This will then save to the file. On Startup VC will
check for the file in the S: directory and read it if it is there. If
not it will carry on without it. If you get an error then VC will
tell you about it and will happily write over the file next time.
Have fun with this bit.
V1.0 was an arp.library version
V1.1 was an port to the normal libraries
V1.2 had the ByteBandit virus detection added into it
V1.3 had detection of the 3 Viruses in memory and removal of them
V1.4 added code to detect + remove the Byte Warrior Virus from
memory and disk
V1.41 found a slight bug when using DSM to disassemble this
the program was testing low memory instead of a value when
checking for the Revenge Virus
V1.42 changed code to be assembled by the CAPE 68K assembler
which is much faster than A68k or Assem. Now also uses base
register addressing mode for data access
V1.43 changed code to cut down executable code
V2.0 added Pentagon, System Z, North Star, Obelisk and the
new IRQ virus which lives in files and not in the Boot Block
V2.1 corrected a few little bugs in program
V3.0 Did a listing of Source code and found many bugs
Did a major rewrite to clean it up and saved about 400 bytes
V3.0 now checks for the viruses listed
SCA, AEK, Byte Bandit, Byte Warrior, Revenge, Pentagon Circle
System Z, North Star, Obelisk, Disk-Doktors and the latest IBM
type virus the IRQ virus.
V3.01 got a new virus. Lamer Exterminator. added code to get rid of
it
V3.02 got a second Version of the LAmer Exterminator virus
V3.03 After many requests decided to add checking of BootGirl
BootBlocks which where being registered as Non-Standard. It now
Just Ignores BootGirl BootBlocks
V4.00 Updated to make better use of the Stack. Now store all
variables on the stack for a saving of 124 bytes in the
Executable V4.10 TimeBomb virus added to code
V4.20 Altered startup code to start a separate process to avoid doing
a RunBack -2 Virus_checker
V4.22 Added Gadaffi virus to checker
V4.23 Found a potentially Fatal Error in Code When accessing Unit
Byte off the Stack.
V4.24 Added Graffiti, Ultra Fox, and Phantasmumble Viruses
Don't actually have these last 3 viruses so Anyone please send
them to me if you find them. Still looking for the IRQ Virus as
well.
V4.25 Added BSG9 virus to code
V4.26 Changed Error Checking on BSG9 virus abit
V4.27 Got the War Hawks virus and added it. Also added V3 of Lamer
exterminator virus. Changed checking for BSG9 virus. Now checks
when disk is inserted into drive
V4.28 Found I was losing the memory that was used by the program when
it exited. This was caused by me not UnLoading the Segment used
for the program. Fixed
V4.29 Found program got into a continuous loop when there where no
RomTags present in the system. Fixed. Also cut code size down
abit more by combining a few checks
V4.30 Put further checking in for the BSG9 virus as sometimes the
checker would not find the file on the disk depending on which
directory it was in. Put VKill virus checking in Also Ultra Fox
and PVLProtector virus checking in V4.40 Put in DosSpeed virus
and an Unknown virus.It does not have any names at all
V4.41 Stopped Requester that comes up after pulling disk out.
V4.42 Added JITR virus which was sent to me by Jonathan Potter (AUST)
V4.43 Added MicroSystems virus checking to code and BootBlock
checking of the HCS II, Opapa, BackFlash, and Australian
Parasite viruses
V4.44 Changed code around abit to get better use of tables
and added Xeno virus check for Memory only
V5.00 Changed user interface to give a new look and better messages
V5.01 Major Bug repaired. V5.00 GURU'ed when checking disk. Worked
with 68020 CPU but failed on standard Amiga's due to a bad
address.
V5.02 Was not checking startup-sequence properly when disk was put in
3 1/2" drive when a filename was given as C:SetCPU or something
like that. Came up with a strange filename not being checked.
Fixed Added second version of Byte Bandit Virus, Someone hacked
it Added code to remove Xeno virus from files
V5.03 Slight bug corrected in code
V5.04 Have changed this from PD to Freely Redistributable after an
offer from someone to sell Virus_Checker. I feel this still
needs to be at minimal (copying charge) or no charge to be
effective. Also cleaned up the code abit. This may introduce
new bugs so .please tell me about them if you find them
Added checking of IRQ virus when checking for Xeno files on
disk. As the file is in the buffer already this adds very litle
extra time to the check. And better safe than sorry.
V5.05 Changed text when Xeno Virus found after a program has been run
to warn that the program just run maybe the culprit
V5.06 Added 16 Bit crew Virus, New Alien Beat Virus, Digital Emotions
virus, Graffiti Virus, two new versions of the Byte Bandit
virus, ScarFace virus, Turk virus, Joshua virus Also a little
bug when used with NTSC machines. You could not display the
Boot Block Sectors. Now Startup alters for which machine it is
on. The Startup code is only used once and then the memory for
it is freed.
V5.07 Added better Error messages when an error occurs with Files.
It will now say File protected from deletion when the file is
protected instead of just saying could not open file. Added
Butonic virus to checker
V5.08 Added Centurions virus to checker
V5.09 Got Aids virus but this is a mutant VKill virus and is found
already Added Coders nightmare virus to checker Added Forpib,
GX Team, Gremlins, and Kauki Virus Added Centurions and Butonic
virus check when scanning disk V5.10 Finally got IRQ virus and
corrected a few bugs in its code. Added Target, Clist, Abraham,
and FAST virus. This fast virus is supposed to be from the
Frederation again'st Software theft. If it is they are then
just as big a arseholes as the pirates themselves. Added Tick
virus Added control-c, control-d to multiscan pass so as to
stop the scan if you got the wrong directory or drive.
V5.11 Slight bug in removing BSG9 virus if virus not in devs:
directory. Also was picking up some game files as Butonic
virus.
V5.12 Virus_Checker was finding WB2.0 reboot code as the HCS II virus
This code may not be in the final release but it is at the
moment. Also SetPatch code moved abit. Seems to be the same but
different V5.13 Added a Brain File so that you can remember the
BootBlocks that You want to. Games etc. No new viruses added
V5.14 Added a feature to allow checking for link viruses on startup
eg. virus_checker dh0: will check dh0: before carrying on as
usual
V5.15 Slight bug found with brain file
V5.16 ULDV8 virus added. Uses VertB int and RomTag. Very Tame virus
Also fixed up bugs when using Enforcer. Showed up some reads to
None existant memory.
5.17 Added OP1 virus. Seemed to confuse VC into think it had a
standard Boot block unless write protected.
5.18 HAd to add extra checking for IRQ virus as it found a program
that matched IRQ and VC crashed trying to remove the IRQ virus
which wasn't there
5.19 Added a much asked for feature so that you can tell VC where to
put it's window
5.20 Added a width parameter as well. Also added 1 new virus called
the SADDAM virus. This virus lives as the Disk-Validator and can
infect an Amiga simply by putting a disk in the drive.
5.21 Added the CCCP virus to the checker
5.22 Added another version of the Joshua virus. Also fixed bug that
occured when checking for file viruses and a name was in the
File Header Added -q option to make VC check and then quit
*********************************************************************
NON-STANDARD BOOT CODE
- When Virus_Checker brings up a Requester that says the disk has
non-standard boot code this means that the code in the boot block is
not what should be there. This does not mean that it is a virus as
many games use copy protection in their boot blocks. You should
however be cautious if it is not a game. Do not replace the boot
block if you are not sure. If something strange happens then please
send a copy of the disk to me so that I can check it out. Here is a
way of checking non-standard boot code
1. Format a blank disk so you know it is clear.
3. Make sure all disks except the one just formated are write
protected
3. Boot from the disk that you suspect.
4. Place formatted disk in drive zero and then reboot.
5. Take disk out of drive zero and turn off computer for about
30 secs.
6. Run the Virus_Checker program. If the Virus_Checker finds
non-standard boot code on the newly formated disk you have
found a new virus. Please send it to me
Viruses Dealt With:
-------------------
SCA
- The SCA is the simplest virus to deal with, as it's not actually
DOING anything except hiding in memory, until you reboot. We just
look at CoolCapture and fix it to get it out of RAM.
AEK
- This is a clone of the SCA virus and we get rid of it in the same
manner
LSD
- Another SCA clone and uses the same code
Byte Bandit (Now 4 versions)
(Amiga Freak)
- The Byte Bandit virus takes the DoIO() vector and re-directs it
through itself. Thus, any attempt to read or write the boot block
(ie, AmigaDOS trying to figure out what kind of disk it is) results
in the BB writing itself onto that disk. We couldn't just rewrite the
boot block, we have to get him out of RAM first. This virus also has
an interrupt that crashes the machine every 5 minutes or so after
it's infected a few of your disks. Ow. It stays in memory not via the
Capture vectors, but by a Resident module. When machine looks crashed
press these keys at the same time from left to
right LAlt,LAmiga,Space,RAmiga,RAlt. This will restore things for
another 5 minutes
Revenge
- Basically, a Byte Bandit clone except it will bring up an obscene
pointer a few minutes after you reboot. We treat it much like the
byte bandit.
Byte Warrior
- Jumps right into 1.2 Kickstart. Won't work under 1.3.
Hangs around via Resident struct, doesn't do any damage.
North Star/ StarFire
- Like SCA, hangs around via CoolCapture, killing CoolCapture kills
the North Star.
Obelisk Softworks Crew
- Hangs around via CoolCapture, also watches reads of DoIO() (but
doesn't infect EVERY disk - only ones you boot off of)
IRQ
- This is the FIRST Non-Bootblock Virus. It copies itself from place
to place via the first executable program found in your
startup-sequence. It SetFunction's OldOpenLibrary(), has a
KickTagPtr, and lives in the first hunk of an infected program.
Pentagon Circle
- This one looks at the DoIO vector, and has a CoolCapture vector.
It will write itself over any virus inserted, but not onto anything
else. No danger, easy to eliminate. Holding left button while booting
with this one shows different screen colour, but doesn't get rid of
it.
HCS Virus
- Hooks into the System Z protector
- This is another virus protector that can write itself to disks.
Anything that spreads itself, under any name, is a virus. Doesn't do
anything except during a reboot, then examines disks and writes over
viruses.
Disk-Doktors
- This is another virus which looks at the DoIO routine for the
reading of any bootblocks. If it finds one it will rewrite a copy of
its code to it if it can. This one also patches into the Vertical
Blank interrupt and seems to format you disk after a certain number
of interrupts (can't be sure though). The nasty bit is it also
creates a task called clipboard.device which spends its life copying
itself through memory fragmenting the memory into small blocks.
Calls ROM CODE direct so wont work under V1.3. We restore the DoIO
routine, the Vert Blank interrupt and RemTask the clipboard.device
LAMER Exterminator
- This virus was sent to me by Andrew Mercer of the Palmerston North
group. His letter said that He noticed strange things on his disks.
On disassembling the virus I found that most of it was encrypted and
the data was encrypted randomly using the beam position of the
screen. Thus it appears different each time. It patches the
trackdisk.device to look at reads and writes, It patches the Sumkick
vector in exec in case someone tries to get rid of it. When it
detects a read or a write it will randomly select a sector on the
disk and will check if it is a data block. If it is it will write
LAMER! all over the sector and rewrite it. Some say this Virus will
write to write protected disks. I have not had this happen to me
and I can see no special code in the disassembly to accomplish this
feat.
TimeBomb Virus
- This is a strange Virus. It does not insert itself into any
vectors.However it will copy itself back to the disk it came from.
When the count gets to 2 it will wipe out the Root Directory of the
boot disk and display an alert. If the count is over 2 it will just
display and alert
GADAFFI Virus
- Inserts itself into the CoolCapture vector, Uses a RomTag
structure and patches the DoIO vector Jumps directly into the
Kickstart so will only work under V1.2 Kickstart. After 13 copies it
will Step the Heads of drives 0 and 1 in and out. We simply clear all
vectors and Use the old V1.2 DoIO code entry point
BSG9 Virus
- This is similar to the IRQ virus in that it does not live in the
Boot Block. It operates differently. Inserts itself into the RomTag
pointer. It then loads the program it replaced and executes it. On
Reboot the RomTag is called. It patches the Intuition OpenWindow
Routine to its code. It then returns. Once AmigaDos opens up the CLI
window the virus code gets run. This gets the startup-sequence file
and gets the first command that is run. It then checks if it is
already here. No, then it moves this program from it's directory into
the devs: directory and renames it a strange name.It then copies
itself to replace the command it just moved. A give away is the file
size. The Virus size is 2608 bytes and there will be a file with what
looks like spaces for its name in the devs: directory. To get rid of
we copy the file in devs: back to the c: directory and rename it.
Then delete the file in the devs: directory. In memory all we do is
change the RT_INIT code which is run on reboot to do an immediate RTS
The memory for the program is still used but the Virus is disabled.
It will display a screen of its own which says
A Computer Virus is a disease
Terrorism is a Transgression
Software Piracy is a crime
This is the Cure
BSG9 plus some other junk
War Hawks
- This Virus installs itself into the CoolCapture Vector. It copies
itself to the disk when the computer is warm booted. After every four
copies, it displays a message. To get rid of it we simply clear the
CoolCapture vector.
VKill or Aids Virus
- This is another virus hidden as a Virus protector. When booted it
copies itself to the stack area that is not used. It then patches the
CoolCapture vector to survive a reboot. It patches the PutMsg vector
of ExecBase to watch for BootBlock reads and writes. When it finds
one it checks it and tells you if a virus is present. If you want to
get rid of it it will copy itself to the disk. To remove it we Clear
the CoolCapture Vector and SetFunction the PutMsg vector
Ultra Fox
- This one lives in the CoolCapture vector. When you reboot it will
change the DoIO vector and wait for a BootBlock read. When it finds
one and the disk is not already infected it will write itself to the
bootblock. After every 16 copies it will put a custom copper list
which displays greetings
PVLProtector
- This one is another bootblock protector. When it finds a virus it
will write itself to the disk instead of a proper bootblock. All we
do is set the RomTag to do a RTS
DosSpeed
- This is another file virus. It is supposed to speed up disk
operations by 800%. This was found on a BBS and when run patches
itself into several places. It will read the s:startup-sequence file
on reboot and will edit it so that it runs itself as the program. It
sticks out because the first line in the startup-sequence will be
blank. When the Checker finds it look in the Root directory and you
will find what looks like a blank filename. Virus Checker will rename
this virus for you. You can then delete the virus and alter your
startup-sequence to get rid of the first blank line.
UnKnown
- This is a virus that has no names anywhere and will only work
under V1.2 Kickstart. Very easy to get rid of.
JITR Virus
- Very mild sort of virus this one. Only writes itself to the
BootBlock. Does nothing else. Easily fixed by clearing the
CoolCapture vector
MicroSystems
- Haven't got this one yet so can't tell you much about it. Just
have to restore a vector in the Exec.library and clear the Exec
CoolCapture vector.
Xeno Virus
- This virus is a very nasty one in the way that it infects all
programs that can be run. It does not need the program to be run but
even someone doing a list or dir on a disk when the virus is present
will infect all those other files on disk. It patches into the
dos.library and takes over the OPEN,LOCK and LOADSEG calls in dos.
This way it can intercept the files being looked at. It will copy
itself to the start of every runnable program and alter the file so
that it still works. There is also an encrypted message which says
'Greetings from the Xeno Virus' but I have not worked out when this
appears yet. To get rid of it from memory we have to reset the
changed vectors. To get rid of it from the file is very much harder.
First the file has to have the virus removed from the code. Then the
relocation data pointers have to be changed so that everything still
works. When Virus_Checker finds a file infected with the Xeno Virus
it will tell you which file it is and bring up a requester. You can
now check the files on drive zero for furthur viruses if you want. I
will soon add a string gadget so that all drives can be checked.
16 Bit Crew
- This virus does not do much and only infects disks that you boot with.
To get rid of it from memory we clear the CoolCapture Vector and restore
the DoIO vector.
New Alien Beat Virus
- This one will only work under Version 1.2 Kickstart as it jumps
into the ROM code directly. To fix in memory we have to manually
patch the DoIO vector and FindResident Vector with the correct values
for 1.2. and clear the Capture vectors.
BlackFlash virus
- This virus will display a message after a certain ammount of
copies of it have been made. It says that your computer is sick and
has a virus. To remove it we just restore the DoIO vector and clear
out the capture vectors.
Digital Emotions virus
- This is another tame virus. Only infects disks when it is
rebooted. Clean out the Captures vectors and it is gone.
ScarFace Virus
- This takes over the BeginIO routine in the trackdisk.device to
watch for reads and writes to the disk. When it finds one, it will
write itself to the disk. It also has a VertBlank intterupt which
will do something after awhile. I think it only reboots the machine.
It also has a romtag which we have to clear out.
Turk Virus
- Another simple virus. Does not do very much. Simple to get rid of
Joshua Virus
- Again, lives in the TrackDisk BeginIO and VertBlank Intterupt.
Also has a RomTag to survive reboots. This one will display a sprite
after so many intterupts. I am not sure what it looks like but maybe
someone wants to wait until it is triggered. It counts intterupts. It
will also infect every disk but in the drive that is not write
protected. Data in it that says something is encoded. To remove we
simply restore the BeginIO code and VertBlank Interrupt and wipe out
the RomTag.
Butonic Virus
- This is another file type virus. It uses the DoIO vector to check
for reads to the Root Block of a disk. It wil then write the virus to
the disk and add it to the startup-sequence as the first instruction.
The filename of the virus and its comment make it invisible when
doing a dir but shows up with a list. This will also bring up GURU
messages and change the title of the active window to some German
stuff. To get rid of it we clear the ROMTAG, restore the DoIO vector
and delete the file off the disk. You will need to remove the blank
line from the startup-sequence where the virus was.
Centurions Virus
- Another file type virus. It hooks into the Trackdisk BEGINIO
vector and waits for reads to the boot block of a disk. It changes
the SumKickData vector so that it will survive a checksum. To get rid
of it in memory we simply kill the RomTag vector, restore the
SumKickData vector and patch the trackdisk code it uses to skip over
the virus. When it finds a read to the bootblock it will check the
write protect. It will then find the startup-sequence and find the
name of the first command. It then looks for the command in the root
directory, then the c directory. Once found it adds itself to the
front of the file and is run when the startup-sequence is run again.
Signs of infection are that it adds 3916 bytes to the size of the
file it infects. After every ten copies it will change the pointer to
a smily face and a message will scroll across it
Coders Nightmare Virus
- A boot block virus. Fairly tame this one but it will wreck copy
protected disks. It takes over the DoIO vector waiting for reads to
track zero block 0 then it writes itself to the disk if it can. It
has a level 2 interupt which after a time will display a message and
then reboot the machine. To remove we just reset the DoIO and Level 2
Interupt vectors and clear out the RomTag.
Forpib Virus
- Another boot block virus. It takes over the Trackdisk BeginIO
vector and waits for reads to block 0. Then it copies itself if it
can. It also has a VertBlank Interrupt and after a certain time a
message will appear. (I think). There is a bug in this in that it
tries to use a color register but it has got the wrong value in
there. To remove just restore both vectors and remove the RomTag.
GX Team virus
- Yet another bootblock virus. This just takes over the DoIO vector
and after a certain number of copies it will bring up a requester
then guru. To remove replace the DoIO vector and clear RomTag and
Capture vectors. This virus will only work under version 1.2
kickstart.
Gremlins virus
- Yes another bb virus. Sickening isn't it. Don't know what this one
does but very easy to remove. Just zero the Capture vectors, restore
the SumKickData vector and DoIO vector and it's gone.
Kauki virus
- This boot block virus will only work under Version 1.2 kickstart.
As I don't have it I can't tell you what is displayed but something
is displayed. Easy to get rid of. Just clear the Capture vector and
set the DoIO vector to $FC06DC just to make sure.
Have given up Telling what BootBlock viruses do as they are mostly
the same and all work the same way. From now on I will only give
desciptions on File
Type viruses.
SADDAM virus
- This is a file type file that hides itself as the Disk-Validator.
The disk on which it came was unvalidated so AmigaDOS loaded it to
try and validate the disk. This causes the virus to run and infect
your machine. It does infect alot of vectors that need fixing when it
is found. I just wipe it off the disk and it is left to the user to
put a new Disk-Validator on the disk. It will change the root block
BitMap pointer so that if the virus is not running AmigaDOS will
think the disk is UnValidated and load the virus. It will also change
DATA blocks so DOS does not know them unless the virus is running.
When the virus is triggered it will wipe out the whole disk and
bring up a Requester telling you it is the SADDAm virus
CCCP virus
- This a combination Bootblock and file virus. It changes itself so
that it will write to the BootBlock and to random files on the disk.
The only way to find it on disk is to scan the whole disk